In December 2013, Microsoft issued a public pledge to increase security measures across the company's entire product line to counteract what Microsoft's general counsel and executive vice president Brad Smith characterizes as "a broader and concerted effort by some governments to circumvent online security measures — and in our view, legal processes and protections — in order to surreptitiously collect private customer data."

Adding Transport Layer Security (TLS) to Outlook

As of the beginning of July 2014, both incoming and outgoing mail on Outlook are protected by Transport Layer Security (TLS). As such, if you send an email to someone on a network that also supports TLS, the email is encrypted in transit. In the statement, Microsoft names the Russian organizations Yandex and Mail.ru, as well as Deutsche Telekom, as groups that it has worked with to implement and test the deployment of TLS to ensure that email remains secure in transit.

The fact that mail is encrypted in transit is an important distinction. While this implementation of TLS is a welcome change that arguably does increase security, it does not do anything for messages that are stored on Microsoft's servers. In the announcement, no mention was made of any method through which stored mail is encrypted. Consequently, it seems any organization that can gain access to the server, or gain the cooperation of Microsoft, still retains the ability to read stored mail, independent of the method used to transfer the message.

Earlier this year, Microsoft did enable S/MIME in Office 365, which may indicate that this feature is forthcoming for users of the Outlook Web App.

Adding Perfect Forward Secrecy (PFS) to OneDrive and Outlook

Outlook now supports Perfect Forward Secrecy (PFS) in the encryption used for sending and receiving mail between different providers. PFS employs a new key for every connection, which limits the amount of data that could be retrieved if a key is cracked, and complicates matters for those seeking to crack keys. This protection is also extended to OneDrive, as transmitted data is now encrypted with forward secrecy for the OneDrive web interface, mobile applications, and sync clients.
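
The TLS and PFS sections above both describe per-connection protection between mail providers. This added example (not from Microsoft or the original article) reads a message's Received headers and reports, hop by hop, whether TLS was recorded and whether the cipher suite used an ephemeral key exchange. The sample message, hostnames and status labels are constructed, and the header annotation styles are assumed to follow those commonly written by Exchange and Postfix.

```python
import re
from email import message_from_string

# Constructed sample: three relay hops, newest first, as they appear in a mailbox.
SAMPLE = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
 by mx.example.org with Microsoft SMTP Server (version=TLS1_2,
 cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.0.1; Tue, 1 Jul 2014 10:00:02 +0000
Received: from relay.example.net (relay.example.net [192.0.2.20])
 (using TLSv1.2 with cipher AES256-SHA (256/256 bits))
 by mail.example.net (Postfix) with ESMTPS id ABC123; Tue, 1 Jul 2014 10:00:01 +0000
Received: from client.example.net (client.example.net [192.0.2.30])
 by relay.example.net (Postfix) with ESMTP id DEF456; Tue, 1 Jul 2014 10:00:00 +0000
Subject: constructed test message

body
"""

TLS_RE = re.compile(
    r"(?:version=|using\s+)(TLS[\w.]+)"         # protocol version
    r"[\s,]+(?:with\s+)?cipher[=\s]+([\w-]+)",  # negotiated cipher suite
    re.I)

def forward_secret(version, cipher):
    """True for ephemeral (EC)DHE key exchange; every TLS 1.3 suite is ephemeral."""
    if re.fullmatch(r"TLSv?1[._]3", version, re.I):
        return True
    return re.match(r"(TLS_)?(ECDHE|DHE|EDH)[-_]", cipher, re.I) is not None

def audit_hops(raw):
    """Return (receiving_host, status) per Received header, newest hop first.

    Each hop writes its own header and upstream hops can forge theirs,
    so treat the result as a hint, not as proof.
    """
    results = []
    for hdr in message_from_string(raw).get_all("Received", []):
        flat = " ".join(hdr.split())  # unfold continuation lines
        by = re.search(r"\bby\s+(\S+)", flat)
        host = by.group(1) if by else "?"
        m = TLS_RE.search(flat)
        if not m:
            status = "plaintext-or-unknown"   # no TLS annotation on this hop
        elif forward_secret(m.group(1), m.group(2)):
            status = "tls-forward-secret"
        else:
            status = "tls-static-key"         # e.g. static RSA key exchange
        results.append((host, status))
    return results
```

A single hop without TLS means the message crossed that link unencrypted, regardless of what the other hops negotiated.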

The introduction of the Microsoft Transparency Center

Perhaps most curious in this round of updates is the opening of the Microsoft Transparency Center in Redmond, Washington, which, according to Microsoft, will "provide participating governments with the ability to review source code for our key products, assure themselves of their software integrity, and confirm there are no 'back doors.'"

No reasonable person should expect Microsoft to open the source of its products for just anyone to audit, but the limitation of such privileges to only government agents appears to be a wholly transparent attempt to assuage the concerns of various foreign governments about the integrity of Microsoft products in light of recent disclosures. At the GigaOm Structure conference last month, Smith stated, "We are seeing other governments consider new procurement rules — procurement rules that could effectively freeze out US-based companies." Although this level of transparency is a welcome step, extending this privilege to security researchers would perhaps be a more full-throated defense of the company's position.